Bug#636314: marked as done (apt: Packages.bz2 checksum mismatch not detected)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 15 Aug 2011 12:02:18 +0000
with message-id <E1Qsvs2-0006UR-8k@franck.debian.org>
and subject line Bug#636314: fixed in apt 0.8.15.6
has caused the Debian Bug report #636314,
regarding apt: Packages.bz2 checksum mismatch not detected
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
636314: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=636314
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: apt: Packages.bz2 checksum mismatch not detected
• From: Hamish Moffatt <hamish@debian.org>
• Date: Tue, 02 Aug 2011 04:14:18 -0400
• Message-id: <[🔎] 20110802081418.28159.9767.reportbug@li154-67.members.linode.com>

Package: apt
Version: 0.8.10.3+squeeze1
Severity: important

I have a test repository containing a Packages.bz2 file with different
checksums than what is listed in the signed Release file. However,
'apt-get update' does not report any error and shows the resulting
packages in the output of 'apt-cache policy'.

This occurs when accessing the repository with http. I think I have seen
errors reported when using file:/ urls (and uncompressed Packages) files
but I am not certain now.

I've attached a test repository; it's not signed, but I've tried with
signed repositories too. eg rsync dists/squeeze from a Debian mirror
then mess with main/binary-i386/Packages.bz2

-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "1";
APT::Install-Suggests "0";
APT::Acquire "";
APT::Acquire::Translation "environment";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^firmware-linux.*";
APT::NeverAutoRemove:: "^linux-firmware$";
APT::NeverAutoRemove:: "^linux-image.*";
APT::NeverAutoRemove:: "^kfreebsd-image.*";
APT::NeverAutoRemove:: "^linux-restricted-modules.*";
APT::NeverAutoRemove:: "^linux-ubuntu-modules-.*";
APT::Never-MarkAuto-Sections "";
APT::Never-MarkAuto-Sections:: "metapackages";
APT::Never-MarkAuto-Sections:: "restricted/metapackages";
APT::Never-MarkAuto-Sections:: "universe/metapackages";
APT::Never-MarkAuto-Sections:: "multiverse/metapackages";
APT::Never-MarkAuto-Sections:: "oldlibs";
APT::Never-MarkAuto-Sections:: "restricted/oldlibs";
APT::Never-MarkAuto-Sections:: "universe/oldlibs";
APT::Never-MarkAuto-Sections:: "multiverse/oldlibs";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::mirrors "mirrors/";
Dir::State::extended_states "extended_states";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::netrc "auth.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Etc::trusted "trusted.gpg";
Dir::Etc::trustedparts "trusted.gpg.d";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Media "";
Dir::Media::MountPath "/media/apt";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Dir::Log::History "history.log";
Dir::Ignore-Files-Silently "";
Dir::Ignore-Files-Silently:: "~$";
Dir::Ignore-Files-Silently:: "\.disabled$";
Dir::Ignore-Files-Silently:: "\.bak$";
Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
CommandLine "";
CommandLine::AsString "apt-config dump";

-- (no /etc/apt/preferences present) --


-- /etc/apt/sources.list --


#deb http://ftp.us.debian.org/debian/ etch main non-free contrib
#deb http://http.us.debian.org/debian/ etch main non-free contrib
#deb-src http://ftp.us.debian.org/debian/ etch main non-free contrib
#
#deb http://security.debian.org/ etch/updates main contrib non-free
#deb http://volatile.debian.org/debian-volatile etch/volatile main

deb http://ftp.us.debian.org/debian/ squeeze main non-free contrib
deb-src http://ftp.us.debian.org/debian/ squeeze main non-free contrib
deb http://ftp.us.debian.org/debian/ squeeze-updates main non-free contrib
deb-src http://ftp.us.debian.org/debian/ squeeze-updates main non-free contrib

deb http://security.debian.org/ squeeze/updates main contrib non-free
#deb http://volatile.debian.org/debian-volatile squeeze/volatile main

#deb http://www.backports.org/debian squeeze-backports main contrib non-free

-- System Information:
Debian Release: 6.0.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.39.1-linode34 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring  2010.08.28       GnuPG archive keys of the Debian a
ii  gnupg                   1.4.10-4         GNU privacy guard - a free PGP rep
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libgcc1                 1:4.4.5-8        GCC support library
ii  libstdc++6              4.4.5-8          The GNU Standard C++ Library v3
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc               <none>             (no description available)
ii  aptitude              0.6.3-3.2          terminal-based package manager (te
ii  bzip2                 1.0.5-6            high-quality block-sorting file co
ii  dpkg-dev              1.15.8.11          Debian package development tools
ii  lzma                  4.43-14            Compression method of 7z format in
ii  python-apt            0.7.100.1+squeeze1 Python interface to libapt-pkg

-- no debconf information

Attachment: test-bz2-hash-error.tar
Description: Unix tar archive

--- End Message ---

--- Begin Message ---

• To: 636314-close@bugs.debian.org
• Subject: Bug#636314: fixed in apt 0.8.15.6
• From: Michael Vogt <mvo@debian.org>
• Date: Mon, 15 Aug 2011 12:02:18 +0000
• Message-id: <E1Qsvs2-0006UR-8k@franck.debian.org>

Source: apt
Source-Version: 0.8.15.6

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive:

apt-doc_0.8.15.6_all.deb
  to main/a/apt/apt-doc_0.8.15.6_all.deb
apt-transport-https_0.8.15.6_amd64.deb
  to main/a/apt/apt-transport-https_0.8.15.6_amd64.deb
apt-utils_0.8.15.6_amd64.deb
  to main/a/apt/apt-utils_0.8.15.6_amd64.deb
apt_0.8.15.6.dsc
  to main/a/apt/apt_0.8.15.6.dsc
apt_0.8.15.6.tar.gz
  to main/a/apt/apt_0.8.15.6.tar.gz
apt_0.8.15.6_amd64.deb
  to main/a/apt/apt_0.8.15.6_amd64.deb
libapt-pkg-dev_0.8.15.6_amd64.deb
  to main/a/apt/libapt-pkg-dev_0.8.15.6_amd64.deb
libapt-pkg-doc_0.8.15.6_all.deb
  to main/a/apt/libapt-pkg-doc_0.8.15.6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 636314@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Vogt <mvo@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 15 Aug 2011 09:20:35 +0200
Source: apt
Binary: apt apt-doc libapt-pkg-dev libapt-pkg-doc apt-utils apt-transport-https
Architecture: source all amd64
Version: 0.8.15.6
Distribution: unstable
Urgency: low
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Michael Vogt <mvo@debian.org>
Description: 
 apt        - Advanced front-end for dpkg
 apt-doc    - Documentation for APT
 apt-transport-https - APT https transport
 apt-utils  - APT utility programs
 libapt-pkg-dev - Development files for APT's libapt-pkg and libapt-inst
 libapt-pkg-doc - Documentation for APT development
Closes: 636314
Changes: 
 apt (0.8.15.6) unstable; urgency=low
 .
   [ Michael Vogt ]
   * apt-pkg/contrib/fileutl.{cc,h}:
     - add GetModificationTime() helper
   * apt-pkg/pkgcachegen.cc:
     - regenerate the cache if the sources.list changes to ensure
       that changes in the ordering there will be honored by apt
   * apt-pkg/sourcelist.{cc,h}:
     - add pkgSourceList::GetLastModifiedTime() helper
   * apt-pkg/pkgcachegen.{cc,h}:
     - use ref-to-ptr semantic in NewDepends() to ensure that the
       libapt does not segfault if the cache is remapped in between
       (LP: #812862)
     - fix crash when P.Arch() was used but the cache got remapped
   * test/integration/test-hashsum-verification:
     - add regression test for hashsum verification
   * apt-pkg/acquire-item.cc:
     - if no Release.gpg file is found, still load the hashes for
       verification (closes: #636314) and add test
 .
   [ David Kalnischkies ]
   * lots of cppcheck fixes
Checksums-Sha1: 
 2be9992b140d381ace377f779f5741af760946cb 1358 apt_0.8.15.6.dsc
 4bcdfc7d745f7a4d50cf73a9afed2bbbc5ee6bb4 3378253 apt_0.8.15.6.tar.gz
 95704778a835b2664e3cb295a42ff3d3c3f2b0b9 241060 apt-doc_0.8.15.6_all.deb
 fc568361a6b22ead560943133873c0dee70da31c 738648 libapt-pkg-doc_0.8.15.6_all.deb
 0d097b9146c34a9c3e14d46e697fe61e080bb711 2186030 apt_0.8.15.6_amd64.deb
 516820d3ea67b0f15dc549042a974ba3617cdd82 161102 libapt-pkg-dev_0.8.15.6_amd64.deb
 c6193d68dd10a944706fded7737411f51b50b58c 289080 apt-utils_0.8.15.6_amd64.deb
 fdfdfa488c7e517fbbb812519ad198f8b80e4c64 90970 apt-transport-https_0.8.15.6_amd64.deb
Checksums-Sha256: 
 64110690ca39d3e8964689c0a97176a93edd9fadfc101e209d04e95b9576a041 1358 apt_0.8.15.6.dsc
 bdc36fdfb7727a120d1ae14b02f8d6b68f9ca4e619c719d6ec17165d5d6b4b0a 3378253 apt_0.8.15.6.tar.gz
 e5c7e6a2b5e12814f9441262521e57ca63ebf7004ac7db527ffb19f1762a0f40 241060 apt-doc_0.8.15.6_all.deb
 f0f65644d91bdcbe5df35485b469ee9d28d7f03d3057c52c0b771fe8b9f9d573 738648 libapt-pkg-doc_0.8.15.6_all.deb
 86902233c0365279961967b3add3aaf18ec0ba84685b0cbe22eeeaf69bea9c88 2186030 apt_0.8.15.6_amd64.deb
 d15e0b38c727343cbd2b4a9c13e7068c4475763b8d07f2e077efa5b9de16aa7c 161102 libapt-pkg-dev_0.8.15.6_amd64.deb
 297d655c291f82939ff4c1b923b08dfe10aee332c4a37215fdcd779d1acf12f1 289080 apt-utils_0.8.15.6_amd64.deb
 2246090e7e70fd21dd536b48bb4c7eb7ccf8e28537677968b0590afc38f6d5d8 90970 apt-transport-https_0.8.15.6_amd64.deb
Files: 
 215112488e5db00a204aac0e1fd134c4 1358 admin important apt_0.8.15.6.dsc
 ed88f451fc5023b4983fe0a326af493f 3378253 admin important apt_0.8.15.6.tar.gz
 569942ab6c900147fb3c0d875b30310c 241060 doc optional apt-doc_0.8.15.6_all.deb
 40e663c4465142231dd7cf3776f1e246 738648 doc optional libapt-pkg-doc_0.8.15.6_all.deb
 c9e48a11c83bd34ecab112d8c74f4559 2186030 admin important apt_0.8.15.6_amd64.deb
 9f01d2f08f17b0781a11c2a5dc456b2e 161102 libdevel optional libapt-pkg-dev_0.8.15.6_amd64.deb
 7cd6d2a3daad7f92fd11c65dbb5fc10b 289080 admin important apt-utils_0.8.15.6_amd64.deb
 da11d07f0c963b784beaa549257c7405 90970 admin optional apt-transport-https_0.8.15.6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk5I2JMACgkQliSD4VZixzRAwQCgmF818taxJco9V4nAgHokdnOa
l3gAniieAWNfgD42LlCkNPMa4edpHtMm
=Rmf5
-----END PGP SIGNATURE-----

--- End Message ---